Treat `Em Like Other Devices: User Authentication of Multiple

advertisement
Treat ’Em Like Other Devices:
User Authentication of Multiple Personal RFID Tags
Nitesh Saxena
Md. Borhan Uddin
Jonathan Voris
Polytechnic Institute of NYU
Six MetroTech Center
Brooklyn, NY 11201
Polytechnic Institute of NYU
Six MetroTech Center
Brooklyn, NY 11201
Polytechnic Institute of NYU
Six MetroTech Center
Brooklyn, NY 11201
nsaxena@poly.edu
borhan@cis.poly.edu
jvoris@isis.poly.edu
ABSTRACT
User-to-tag authentication can prevent a variety of potential
attacks on personal RFID tags. In this poster, a new RFID
authentication scheme is presented that allows a user to control when a tag responds to queries by leveraging a mobile
phone. The design and implementation of this approach is
presented along with a study of its usability.
1.
INTRODUCTION
RFID tags respond promiscuously to all queries issued by
any reader. This leads to security and privacy concerns for
personal tags, such as those used in access cards. Since a
malicious entity can easily read a tag without the authorization or knowledge of the tag’s owner, a variety of attacks are
possible on this class of devices. These include clandestine
eavesdropping and relaying [2, 3]. It is therefore necessary to
authenticate users to their RFID tags to address this issue.
Fundamental difficulties exist in developing viable user-to-tag
authentication methods, however. Since RFID devices are designed to be transparent to their users, they lack any user
interfaces. Moreover, RFID usage is atypical compared to
that of other devices in that most users prefer to keep their
tags stored in their wallet or pocket during authentication [1].
This means that any user-to-tag authentication system must
be careful not to inadvertently unlock all stored tags when
a user attempts to unlock a single tag, as this would allow
attacks to be mounted on the other devices. The problem
of RFID authentication becomes quite challenging in light of
these issues. This poster proposes a novel means of authentication between a human and her personal RFID tags. This
approach, called PIN-Vibra, allows a user to control when and
where her RFID tags can be accessed.
Mobile phones have become an integral and indispensable
part of users’ lives and are consistently available. Such a device can therefore be effectively exploited to achieve strong
RFID authentication. In the PIN-Vibra approach presented in
this poster, a mobile phone acts as a token which can be used
to authenticate to an accelerometer-equipped RFID tag. Authentication is achieved by simply touching a vibrating phone
with a wallet or other object carrying a user’s RFID tags. This
technique has several advantages which are explored throughout this work. The design and implementation of PIN-Vibra on
Intel’s WISP tags [4, 5] is discussed. Furthermore, a usability
evaluation of the proposed method is presented along with its
results, which indicate that the mechanism is reasonably efficient, robust, and user friendly, despite the usage constraints
imposed by RFID technology.
2.
RELATED WORK
A recent approach called “Secret Handshakes” [1] is closely
related to this proposal. In order to authenticate to an ac-
celerometer equipped RFID device [4, 5] using Secret Handshakes, a user must move or shake the wallet containing the
device in a specific pattern. While the Secret Handshakes approach is desirable for not requiring any reader-side changes,
it also has some shortcomings. When a user shakes a wallet
in a particular manner in order to unlock a desired RFID tag,
all devices in the wallet get unlocked, enabling relay attacks
on other devices. To prevent this, each device must be associated with a unique pattern which a user must remember.
This might become cumbersome as the number of devices increases. Moreover, there might only exist a limited number of
“robust” movement patterns. Also, this scheme does not provide any protection against the loss or theft of a user’s wallet
containing the RFID devices. Finally, since Secret Handshake
authentication requires users to make a visible motion, this
authentication method is vulnerable to visual observation attacks such as shoulder surfing.
3.
RFID AUTHENTICATION USING A MOBILE PHONE
PIN-Vibra uses a mobile phone, M, as an authentication token for a user to authenticate to a RFID device, D. The crux
of the idea is to authenticate the user to D via M. Mobile
phones are not as constrained in terms of memory and computational capabilities in comparison to a human user and thus
can form the basis of strong authentication to multiple RFID
devices. Given a tag equipped with an onboard accelerometer,
and given that almost all current mobile phones have vibrational capability, PIN-Vibra builds a novel out-of-band (OOB)
channel between M and D which can be used to authenticate
the former to the latter. This communication channel is assumed to be secret as well as authenticated. Authentication
can therefore be achieved by simply transmitting a PIN or
secret key shared between M and D over this OOB channel.
Consider an adversary who attempts to launch a user impersonation or relay attack on a tag that is using PIN-Vibra.
Assume that the PIN shared between the phone and each
RFID device is p bits. Additionally, consider a user who is
restricted to q authentication attempts to the RFID device.
Once an adversary has physical access to a user’s RFID device, the probability of success of the adversary attempting
to impersonate a user and access the RFID service is at most
q/2p . Clearly, if the adversary has physical access to both the
phone and RFID, she can succeed in accessing the RFID service. Having physical access to only the phone would not be
sufficient, however.
4.
DESIGN AND IMPLEMENTATION
To test PIN-Vibra, a prototype implementation was developed using Intel’s WISP tags [4, 5]. As WISP tags, like typical RFID tags, have low computational, memory and power
capabilities, its onboard accelerometer is not able to detect
different vibration intensities. Thus, for encoding a PIN using vibration, a simple time interval based ON-OFF encoding
scheme was employed. A four-digit PIN is used in this prototype, which is equivalent to 14 bits of binary data. Three
additional bits (‘110’) are used as a “start” sequence to indicate
the beginning of the transmission. Each ‘1’ bit is converted
into a vibration of 200ms and each ‘0’ bit is converted to a
200ms interval of stillness. Thus for transmitting 4-digit PIN
a total of 17 bits of transmission are needed, resulting in a
total transmission time of 17 × 200 ms = 3.4 seconds. After booting up, the tag’s onboard accelerometer starts sensing
the vibration sequence (i.e., the encoded PIN). If the decoded
vibration sequence matches the stored PIN on the tag it transmits its ID to the reader; otherwise the tag does not transmit.
5.
EXPERIMENTATION AND EVALUATION
A usability study was conducted to investigate the viability
of the PIN-Vibra prototype. Tests were administered in which
20 subjects utilized PIN-Vibra to authenticate themselves to a
RFID reader as per a normal access card usage scenario. These
interactions were logged to measure the speed and reliability
of the prototype. Additionally, test subjects were polled using
pre- and post-condition questionnaires to determine their view
of the proposed system, particularly as compared to a typical
access card setup.
No errors caused by mistakes made by users while manipulating the mobile device were observed. This result indicates
that users are capable of authenticating themselves via a vibratory channel. The only errors observed were due to problems caused by capturing and processing the OOB vibration
transmission between the WISP tag and mobile device. While
carrying out the 80 test cases, 21.25% were transmitted completely correctly, 42.50% were off by a single bit, and 27.50%
were off by two bits. The remaining 8.75% were incorrect
in more than two of the bits transmitted. The average time
taken to complete the authentication process was 7.122 seconds with a standard deviation of 0.929 seconds. Out of the
approximately 7 seconds taken to authenticate, 3.4 seconds
were taken up by the vibration transmission and 3.6 seconds
were caused by user manipulation.
These results suggest that the vibrational authentication
scheme is a promising solution for RFID access card insecurity.
The lack of user-induced errors demonstrates the scheme’s usability. Although hardware based errors were observed, these
are less cause for concern as they can be assuaged through
hardware optimizations. While the new scheme takes slightly
longer than normal access card usage, this is a necessary tradeoff for the stronger security provided by PIN-Vibra. No average user study responses were negative for positive questions
or vice versa. Test subjects indicated agreement with statements that PIN-Vibra was easy to use, intuitive, and enjoyable.
Conversely, they felt that the scheme did not seem lengthy or
challenging.
6.
DISCUSSION
These usability study results show that PIN-Vibra takes approximately 7 seconds to complete on average. The underlying vibration channel results in a fairly high amount of 1 bit
(42.5%) and 2 bit errors (27.50%), but a low rate of errors in
3 or more bits (8.75%). Since transmission on the vibration
channel accounts for 3.4 seconds, these results also show that
the user induced delays accounted for (7 − 3.4) = 3.6 seconds
on average. Because these user actions were more or less independent of PIN-Vibra, it can be argued that RFID access card
usage can not be faster than few seconds in practice, even
without any authentication mechanism in place.
A vibration-based OOB channel was used in this authentication method due to its inherent secrecy properties. Traditional
PIN or password-based authentication methods, or other setups that utilize a visual channel, are vulnerable to visual
eavesdropping techniques such as shoulder surfing. Similarly,
there exist different possibilities for eavesdropping on a vibration channel. Specialized equipment could be designed that
utilize radar, lasers, or electromagnetic emanations to detect
vibration. Example of such a devices can be found in [7, 6].
However, these need sophisticated pieces of equipment that
would require a great deal of expertise to create and operate.
While plausible, this type of technique has challenges that
must be overcome with a combination of technical expertise
and custom built equipment. This is in contrast to traditional
authentication techniques, which can be defeated through casual observation by an unassisted human with little technical
knowledge.
7.
CONCLUSIONS AND FUTURE WORK
In this poster, a novel approach for authentication of multiple RFID tags, PIN-Vibra, was introduced. This approach
leverages a pervasive device such as a mobile phone, which
has become an inseparable part of many users’ lives. In PINVibra, this phone acts as an authentication token, forming a
unidirectional communication channel between a user and her
RFID tags. Authenticating to a RFID tag using PIN-Vibra
involves simply touching a vibrating phone to the wallet or
object carrying the tag. The design and implementation of
the new authentication method on Intel’s WISP tags was discussed. A usability evaluation of PIN-Vibra was also reported,
the results of which indicate the method to be reasonably efficient, robust, and user friendly, despite several design constraints in the context of RFID authentication. Future work
includes improving the speed and robustness of the proposed
vibration channel, looking for efficient ways to perform RFID
fallback authentication, and further usability studies with a
broader, more diverse user pool.
8.
REFERENCES
[1] A. Czeskis, K. Koscher, J. R. Smith, and T. Kohno.
RFIDs and Secret Handshakes: Defending Against
Ghost-and-Leech Attacks and Unauthorized Reads with
Context-Aware Communications. In CCS, 2008.
[2] A. Juels. RFID Security and Privacy: a Research Survey.
IEEE Journal on Selected Areas in Communications,
24(2):381–394, 2006.
[3] Z. Kfir and A. Wool. Picking Virtual Pockets using Relay
Attacks on Contactless Smartcard. In Security and
Privacy for Emerging Areas in Communications
Networks (Securecomm), 2005.
[4] A. Sample, D. Yeager, P. Powledge, and J. Smith. Design
of a Passively-Powered, Programmable Sensing Platform
for UHF RFID Systems. In IEEE International
Conference on RFID, 2007.
[5] J. Smith, A. Sample, P. Powledge, A. Mamishev, and
S. Roy. A Wirelessly-Powered Platform for Sensing and
Computation. In UBICOMP, 2006.
[6] W. van Eck. Electromagnetic Radiation from Video
Display Units: An Eavesdropping Risk? Computers and
Security, 1985.
[7] G. Williamson. Laser Microphone. Available at
http://www.williamson-labs.com/laser-mic.htm,
2006.
Download